DHCP Spoofing Lab: Procedure and Protective Measures


1. Building the lab topology

[Figure: lab topology screenshot]

2. Configuration parameters

(1) PC1

[Figure: PC1 settings screenshot]

(2) PC2

[Figure: PC2 settings screenshot]

(3) SW1 configuration

[SW1]vlan batch 10 20
[SW1]interface Ethernet0/0/1  
[SW1-Ethernet0/0/1]display this 
#
interface Ethernet0/0/1
 port link-type access
 port default vlan 10
#
return
[SW1-Ethernet0/0/1]
[SW1]interface Ethernet0/0/2
[SW1-Ethernet0/0/2]display this 
#
interface Ethernet0/0/2
 port link-type access
 port default vlan 20
#
return
[SW1-Ethernet0/0/2]quit
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
#
return
[SW1-GigabitEthernet0/0/1]


(4) AR1 configuration (legitimate router)

[AR1]dhcp enable 
[AR1]ip pool TV
[AR1-ip-pool-TV]display this 
[V200R003C00]
#
ip pool TV
 gateway-list 10.1.1.254 
 network 10.1.1.0 mask 255.255.255.0 
 excluded-ip-address 10.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[AR1-ip-pool-TV]quit
[AR1]ip pool VT
[AR1-ip-pool-VT]dis thi
[V200R003C00]
#
ip pool VT
 gateway-list 20.1.1.254 
 network 20.1.1.0 mask 255.255.255.0 
 excluded-ip-address 20.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[AR1-ip-pool-VT]quit
[AR1]interface GigabitEthernet 0/0/0.1
[AR1-GigabitEthernet0/0/0.1]display this 
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 10.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[AR1-GigabitEthernet0/0/0.1]
[AR1-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 20.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[AR1-GigabitEthernet0/0/0.2]


(5) AR2 configuration (rogue router, hostname HEIKE)

[HEIKE]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[HEIKE]ip pool IT
Info: It's successful to create an IP address pool.
[HEIKE-ip-pool-IT]gateway-list 1.1.1.254
[HEIKE-ip-pool-IT]network 1.1.1.0 mask 255.255.255.0
[HEIKE-ip-pool-IT]dns-list 202.99.99.99
[HEIKE-ip-pool-IT]lease day 2 hour 2 minute 2
[HEIKE-ip-pool-IT]excluded-ip-address 1.1.1.1
[HEIKE-ip-pool-IT]display this 
[V200R003C00]
#
ip pool IT
 gateway-list 1.1.1.254 
 network 1.1.1.0 mask 255.255.255.0 
 excluded-ip-address 1.1.1.1 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[HEIKE]ip pool HR
Info: It's successful to create an IP address pool.
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] gateway-list 2.2.2.254 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] network 2.2.2.0 mask 255.255.255.0 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] excluded-ip-address 2.2.2.2
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] lease day 2 hour 2 minute 2 
[HEIKE-ip-pool-HR]
[HEIKE-ip-pool-HR] dns-list 202.99.99.99 
[HEIKE-ip-pool-HR]dis thi
[V200R003C00]
#
ip pool HR
 gateway-list 2.2.2.254 
 network 2.2.2.0 mask 255.255.255.0 
 excluded-ip-address 2.2.2.2 
 lease day 2 hour 2 minute 2 
 dns-list 202.99.99.99 
#
return
[HEIKE-ip-pool-HR]quit
[HEIKE]interface GigabitEthernet 0/0/0.1
[HEIKE-GigabitEthernet0/0/0.1]ip address 1.1.1.254 24
[HEIKE-GigabitEthernet0/0/0.1]dot1q termination vid 10
Jul 30 2020 10:42:56-08:00 HEIKE %%01IFNET/4/LINK_STATE(l)[2]:The line protocol 
IP on the interface GigabitEthernet0/0/0.1 has entered the UP state. 
[HEIKE-GigabitEthernet0/0/0.1]arp broadcast enable 
[HEIKE-GigabitEthernet0/0/0.1]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 1.1.1.254 255.255.255.0 
 arp broadcast enable
#
return
[HEIKE-GigabitEthernet0/0/0.1]
[HEIKE]interface GigabitEthernet 0/0/0.2  
[HEIKE-GigabitEthernet0/0/0.2]ip address 2.2.2.254 24
[HEIKE-GigabitEthernet0/0/0.2]dot1q termination vid 20
Jul 30 2020 10:44:30-08:00 HEIKE %%01IFNET/4/LINK_STATE(l)[3]:The line protocol 
IP on the interface GigabitEthernet0/0/0.2 has entered the UP state. 
[HEIKE-GigabitEthernet0/0/0.2]arp broadcast enable 
[HEIKE-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.254 255.255.255.0 
 arp broadcast enable
#
return
# Enable the global DHCP pool on the subinterfaces
[HEIKE-GigabitEthernet0/0/0.2]dhcp select global 
[HEIKE-GigabitEthernet0/0/0.2]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.2
 dot1q termination vid 20
 ip address 2.2.2.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[HEIKE-GigabitEthernet0/0/0.2]
[HEIKE]interface GigabitEthernet 0/0/0.1
[HEIKE-GigabitEthernet0/0/0.1]dhcp  select global 
[HEIKE-GigabitEthernet0/0/0.1]dis thi
[V200R003C00]
#
interface GigabitEthernet0/0/0.1
 dot1q termination vid 10
 ip address 1.1.1.254 255.255.255.0 
 arp broadcast enable
 dhcp select global
#
return
[HEIKE-GigabitEthernet0/0/0.1]


3. Configuring protective measures

Using DHCP snooping to defend against DHCP spoofing attacks

How a DHCP spoofing attack proceeds:

1. First, the attacker impersonates a DHCP client and sends a large number of DHCP requests (this can be done with software). The DHCP server answers each request by allocating an address to the fake client. Because the server's address pool is finite, it is soon exhausted, and the server can no longer assign addresses to other clients.

2. Once step 1 is complete, the attacker sets up a DHCP server of their own. Client DHCP requests are now answered by this rogue server, so the clients obtain an illegitimate IP address.


DHCP snooping configuration:

1. Enable DHCP snooping globally (in system view on SW1; the lab also enables it on SW1's GigabitEthernet0/0/1):

dhcp snooping enable

2. Mark the port that connects to the legitimate DHCP server (SW1 GigabitEthernet0/0/1, the uplink to AR1) as trusted:

dhcp snooping trusted

3. DHCP snooping must be enabled both globally on SW1 and on each connected interface:

dhcp snooping enable

4. Before the DHCP snooping protection can be enabled, the DHCP service itself must be enabled (dhcp enable):

dhcp enable

dhcp snooping enable

# Protective measures: set the parameters on the switch's GE 0/0/1
[SW1]dhcp enable 
Info: The operation may take a few seconds. Please wait for a moment.done.
[SW1]dhcp snooping enable //enable dhcp snooping globally
[SW1]
Jul 30 2020 11:33:38-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 23, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1]interface GigabitEthernet 0/0/1
[SW1-GigabitEthernet0/0/1]dhcp snooping trusted 
Jul 30 2020 11:35:18-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 24, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
 dhcp snooping trusted
#
return
[SW1-GigabitEthernet0/0/1]
[SW1-GigabitEthernet0/0/1]dhcp snooping enable 
[SW1-GigabitEthernet0/0/1]dis thi
#
interface GigabitEthernet0/0/1
 port link-type trunk
 undo port trunk allow-pass vlan 1
 port trunk allow-pass vlan 10 20
 dhcp snooping enable
 dhcp snooping trusted
#
return
[SW1-GigabitEthernet0/0/1]
[SW1]interface Ethernet0/0/3  
[SW1-Ethernet0/0/3]dhcp snooping enable 
Jul 30 2020 11:39:08-08:00 SW1 DS/4/DATASYNC_CFGCHANGE:OID 1.3.6.1.4.1.2011.5.25
.191.3.1 configurations have been changed. The current change number is 25, the 
change loop count is 0, and the maximum number of records is 4095.
[SW1-Ethernet0/0/3]dis thi
#
interface Ethernet0/0/3
 port link-type trunk
 port trunk allow-pass vlan 10 20
 dhcp snooping enable
#
return
[SW1-Ethernet0/0/3]
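As an added illustration that is not part of the original lab, the following Python models the rule the SW1 configuration above enforces: DHCP server replies (OFFER/ACK/NAK) are forwarded only when they arrive on a port marked trusted, and a reply arriving on an untrusted port is dropped and logged. The addresses and port names come from this lab (AR1 at 10.1.1.254 behind trusted GigabitEthernet0/0/1; HEIKE at 1.1.1.254 behind Ethernet0/0/3, which is assumed here to be the port facing AR2); the sample packets are constructed, not captured.

```python
import struct
DHCP_MAGIC = b"\x63\x82\x53\x63"
SERVER_MSGS = {2: "OFFER", 5: "ACK", 6: "NAK"}   # message types only a DHCP server sends
ip_str = lambda b: ".".join(str(x) for x in b)

def parse_dhcp(payload):
    """Return op, yiaddr, chaddr, option 53 (message type) and option 54 (server id)."""
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        raise ValueError("not a DHCP packet")
    opts, i = {}, 240
    while i < len(payload) and payload[i] != 255:   # 255 = END option
        if payload[i] == 0:                          # 0 = PAD option, no length byte
            i += 1
            continue
        code, length = payload[i], payload[i + 1]
        opts[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return {"op": payload[0], "yiaddr": ip_str(payload[16:20]),
            "chaddr": payload[28:28 + payload[2]].hex(":"),   # hlen is at offset 2
            "msg_type": opts.get(53, b"\0")[0],
            "server_id": ip_str(opts[54]) if 54 in opts else None}

class DhcpSnooping:
    """Server replies are forwarded only when they arrive on a trusted port."""
    def __init__(self, trusted_ports):
        self.trusted = set(trusted_ports)
        self.alerts = []   # rogue-server events an operator would want logged

    def filter(self, port, payload):
        pkt = parse_dhcp(payload)
        if pkt["msg_type"] in SERVER_MSGS and port not in self.trusted:
            self.alerts.append(f"{SERVER_MSGS[pkt['msg_type']]} from server "
                               f"{pkt['server_id']} dropped on untrusted port {port}")
            return "DROP"
        return "FORWARD"   # client messages, and replies on trusted ports, pass

def build_dhcp(op, msg_type, yiaddr="0.0.0.0", server_id=None,
               chaddr=bytes.fromhex("5489981234aa")):
    """Constructed sample packet using this lab's addresses (not a real capture)."""
    hdr = struct.pack("!BBBB", op, 1, 6, 0) + b"\0" * 12        # op/htype/hlen/hops, xid..ciaddr
    hdr += bytes(map(int, yiaddr.split("."))) + b"\0" * 8       # yiaddr, siaddr, giaddr
    hdr += chaddr.ljust(16, b"\0") + b"\0" * 192 + DHCP_MAGIC   # chaddr, sname, file, magic
    opts = bytes([53, 1, msg_type])
    if server_id:
        opts += bytes([54, 4]) + bytes(map(int, server_id.split(".")))
    return hdr + opts + b"\xff"

if __name__ == "__main__":
    sw = DhcpSnooping({"GigabitEthernet0/0/1"})   # only the AR1 uplink is trusted
    print(sw.filter("Ethernet0/0/3", build_dhcp(2, 2, "1.1.1.2", "1.1.1.254")), sw.alerts)
```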


4. PC1 obtains a DHCP address

[Figure: PC1 obtaining a DHCP address]


5. PC2 obtains a DHCP address

[Figure: PC2 obtaining a DHCP address]


6. After the legitimate AR1 port is shut down, verify whether the PCs can still obtain DHCP addresses

Once communication between the switch's GE 0/0/1 and AR1's legitimate GE 0/0/0 port is interrupted, PC1 and PC2 can no longer obtain an address when they renew their DHCP lease, as shown in the figures below.

[AR1]interface GigabitEthernet 0/0/0
[AR1-GigabitEthernet0/0/0]shutdown 
Jul 30 2020 12:15:15-08:00 AR1 %%01IFPDT/4/IF_STATE(l)[0]:Interface GigabitEther
net0/0/0 has turned into DOWN state.
[AR1-GigabitEthernet0/0/0]
Jul 30 2020 12:15:15-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[1]:The line protocol IP
 on the interface GigabitEthernet0/0/0.1 has entered the DOWN state. 
[AR1-GigabitEthernet0/0/0]
Jul 30 2020 12:15:15-08:00 AR1 %%01IFNET/4/LINK_STATE(l)[2]:The line protocol IP
 on the interface GigabitEthernet0/0/0.2 has entered the DOWN state. 
[AR1-GigabitEthernet0/0/0]


[Figures: PC1 and PC2 fail to obtain a DHCP address after AR1's GE 0/0/0 is shut down]

This confirms that the protective measures have taken effect.
